Search criteria
6 vulnerabilities found for icinga_db_web by icinga
FKIE_CVE-2025-61789
Vulnerability from fkie_nvd - Published: 2025-10-16 17:15 - Updated: 2025-12-11 18:24
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| icinga | icinga_db_web | * | |
| icinga | icinga_db_web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B379CF-663D-4407-A826-8996CD761C10",
"versionEndExcluding": "1.1.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B58B59D2-206D-40B0-823F-E0DFACE93056",
"versionEndExcluding": "1.2.3",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"id": "CVE-2025-61789",
"lastModified": "2025-12-11T18:24:46.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-16T17:15:34.590",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-204"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53840
Vulnerability from fkie_nvd - Published: 2025-07-16 14:15 - Updated: 2025-12-11 18:26
Severity ?
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| icinga | icinga_db_web | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*",
"matchCriteriaId": "66E2DDA8-2B0B-4BEE-9AD7-E62DB25EF134",
"versionEndExcluding": "1.2.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
},
{
"lang": "es",
"value": "Icinga DB Web proporciona una interfaz gr\u00e1fica para la monitorizaci\u00f3n de Icinga. A partir de la versi\u00f3n 1.2.0 y anteriores a la 1.2.2, los usuarios con acceso a las Vistas de Dependencias de Icinga pueden ver hosts y servicios que no deber\u00edan en el mapa de dependencias. Sin embargo, no se revelar\u00e1 el nombre de un objeto ni se acceder\u00e1 a la vista detallada de un host o servicio. Tenga en cuenta que esto solo afecta a las restricciones `filter/hosts` y `filter/services`. `filter/objects` no se ve afectado y restringe los objetos como deber\u00eda. La versi\u00f3n 1.2.2 aplica estas restricciones correctamente. Como soluci\u00f3n alternativa, se puede actualizar a la versi\u00f3n 1.1.3."
}
],
"id": "CVE-2025-53840",
"lastModified": "2025-12-11T18:26:44.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-16T14:15:28.173",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-61789 (GCVE-0-2025-61789)
Vulnerability from nvd – Published: 2025-10-16 17:00 – Updated: 2025-10-16 18:03
VLAI?
Title
Icinga DB Web hidden/protected custom variables are prone to filter enumeration
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
Severity ?
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Affected:
< 1.1.4
Affected: >= 1.2.0, < 1.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:04.157632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:03:11.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.4"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:00:32.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
},
{
"name": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
}
],
"source": {
"advisory": "GHSA-w57j-28jc-8429",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web hidden/protected custom variables are prone to filter enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61789",
"datePublished": "2025-10-16T17:00:32.247Z",
"dateReserved": "2025-09-30T19:43:49.903Z",
"dateUpdated": "2025-10-16T18:03:11.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53840 (GCVE-0-2025-53840)
Vulnerability from nvd – Published: 2025-07-16 13:34 – Updated: 2025-07-18 14:56
VLAI?
Title
Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Affected:
>= 1.2.0, < 1.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:55:55.415220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:56:03.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:34:37.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
},
{
"name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
}
],
"source": {
"advisory": "GHSA-q2w7-mrx8-5473",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53840",
"datePublished": "2025-07-16T13:34:37.477Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-18T14:56:03.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61789 (GCVE-0-2025-61789)
Vulnerability from cvelistv5 – Published: 2025-10-16 17:00 – Updated: 2025-10-16 18:03
VLAI?
Title
Icinga DB Web hidden/protected custom variables are prone to filter enumeration
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
Severity ?
5.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Affected:
< 1.1.4
Affected: >= 1.2.0, < 1.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T18:03:04.157632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:03:11.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.4"
},
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T17:00:32.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429"
},
{
"name": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18"
}
],
"source": {
"advisory": "GHSA-w57j-28jc-8429",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web hidden/protected custom variables are prone to filter enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61789",
"datePublished": "2025-10-16T17:00:32.247Z",
"dateReserved": "2025-09-30T19:43:49.903Z",
"dateUpdated": "2025-10-16T18:03:11.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53840 (GCVE-0-2025-53840)
Vulnerability from cvelistv5 – Published: 2025-07-16 13:34 – Updated: 2025-07-18 14:56
VLAI?
Title
Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability
Summary
Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icinga | icingadb-web |
Affected:
>= 1.2.0, < 1.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-18T14:55:55.415220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T14:56:03.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icingadb-web",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren\u0027t meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host\u0027s or service\u0027s detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:34:37.477Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-q2w7-mrx8-5473"
},
{
"name": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Icinga/icingadb-web/releases/tag/v1.2.2"
}
],
"source": {
"advisory": "GHSA-q2w7-mrx8-5473",
"discovery": "UNKNOWN"
},
"title": "Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53840",
"datePublished": "2025-07-16T13:34:37.477Z",
"dateReserved": "2025-07-09T14:14:52.532Z",
"dateUpdated": "2025-07-18T14:56:03.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}